Richard Bejtlich's blog on digital security, strategic thought, and military history.

Tuesday, April 18, 2006

Best Comment of the Year

If you don't read the comments for this blog you missed the best response of the year, attached to my earlier story on rootkit.com. T. Arthur points out the irony of a Hacking Exposed author pointing the finger at rootkit.com. Apparently Hacking Exposed is "the best selling computer security book ever, with more than 500,000 copies sold."

Does that mean Stu and friends created half a million more threats? Are they responsible for all the script kiddies running attacks they learned about in HE? If you follow McAfee's logic, the answer is yes. If you follow mine, the answer is no.

4 comments:

I already posted a comment to the relevant entry, but here is one more insight. McAfee's AV product caused a major headache for its customers a short time ago. The AV engine was deleting key files on customers' systems due to poorly written virus definitions. Is it possible that McAfee is deflecting people's attention from its own severe gaffe by slandering an innocent third party? It may also be that McAfee used the rootkit.com code in its virus definitions and didn't perform any QA testing before rolling out the new definitions. So, they are blaming the hand that fed them when it is their own fault. Since I don't know what signature was involved or where it came from, this is only speculation. A URL is here: http://www.computerweekly.com/Articles/2006/03/28/215039/McAfeeanti-virusglitchleavesfirmsstrugglingtorestoresystems.htm

1) McAfee has no business addressing things like this book or rootkit.com. Stick to your products. Whenever a commercial vendor comes out like this making statements and other stirring remarks that the sky is falling, it always strikes me as deeply self-serving. Gee, if we panic everyone, will we sell more product? *sigh*

2) How can you defend against something or someone that you do not know about, or do not know how they operate? Security people need to know how malicious programs and users work so that they can most efficiently defend and protect assets.

This is not a new concept; in fact, look to the ages-old industry of physical security. You can even turn on the Discovery Channel most afternoons and be entertained with It Takes a Thief, a show that has reformed thieves (supposedly) breaking into people's homes to illustrate exactly what a thief would do. They then enact safeguards to protect against thieves, and then try once more to break in to show how the safeguards worked.

This is an awesome show, although early versions seemed pretty mean as they didn't show that they told people they were breaking in (and you see the subsequent heart-breaking panic as they feel violated...).

Is this show teaching people how to be better thieves?

In addition, most of the people on the show are aware their security is not up to date, but they really believe they have "enough" to stop thieves...until shown otherwise just how easy it still is.

If we cannot learn attacks and how to do them so that we can defend against them, then how are we to even show that our work is effective? Do we invite hackers to hack in and test? Contests? Pray and see? No, you learn how to do it, and then you test, and test again.

Books like these are necessary, and as much as some people have panic attacks about them, this is a growing and burgeoning industry, and there is no reason to cry over something that WILL happen and continue to expand.

Security vulns, and rootkits -- how they affect people and the question of whether they should be published is not a question that the security community is qualified to even answer. Every person in this debate so far has an angle on the debate.

The real question is for those who study economics. Now, let's get on with the real work.